Beware Typhoid Adware

Computer scientists have identified a novel approach to spreading adware.

Computer security researchers at the University of Calgary have developed a way to distribute adware without having to convince potential victims to install the adware on their computers.

The researchers -- associate professor John Aycock, assistant professor Mea Wang, and students Daniel Medeiros Nunes de Castro and Eric Lin -- call their attack as "Typhoid Adware" because it spreads like a contagion from an infected computer to other computers connected to the same WiFi hotspot or wired network.

"Not only are ads annoying but they can also advertise rogue antivirus software that's harmful to your computer, so ads are in some sense the tip of the iceberg," said Aycock in a statement.

What makes the attack interesting is that the user of the contagious computer, like the historical figure Typhoid Mary, is likely to be unaware of his or her role in spreading ads to other computers on the same network. What's more, those receiving the ads won't find any malware on their machines, assuming it's adware rather than malicious software that's being spread.

"We have developed three proofs of concept to demonstrate that this is a viable threat, tested it on wired and wireless networks, and inserted advertisements into both HTML and streaming video," the researchers claim in a paper describing the attack published in March and presented in May. "The general idea can be extended for other types of network and applications."

The attack involves a form of Address Resolution Protocol (ARP) spoofing in which machines connecting to the network are duped into treating the infected computer as the network gateway rather than the actual router. It is thus a man-in-the-middle attack.

The researchers demonstrated that they could re-write HTML to insert unauthorized ads over authorized ones and to alter Web page text. This technique could just as easily be used to insert a malicious iFrame.

They also showed that they could insert JavaScript, to deliver pop-up banners or floating text ads.

In addition, they demonstrated that they could insert ads into video requested by victims, by caching and altering Flash video files and Flash video streams.

As a defense, the researchers propose a special Internet cafe setting designed to prevent ARP spoofing.

"[O]ur special setting would gather the MAC address of that router and automatically set it in the static IP-to- MAC mapping table at the client’s machine," the researchers explain. "By doing this, even if a malicious node is able to send fake ARP messages to the router, the ARP spoofing process would fail as the potential victim would not accept the malicious MAC address as being the router's."